The concepts of machine learning and artificial intelligence have grown to become almost synonymous with information security and the protection of data – with more and more enterprises turning to automation and ‘cognitive computing’ to improve the proficiency of their security efforts.
From providing quicker response times and better threat detection, to the ability to process and analyze large amounts of data and free up vital staff time – the benefits of autonomous technologies are well-documented.
However, it is a technology very much in its infancy, with much confusion around its true nature and capabilities.
Infosecurity spoke with Giovanni Vigna, Professor, UCSB & CTO, Lastline, Inc. to get his take on the important distinction between machine learning and artificial intelligence, weaknesses of automation and strategies for improving the effectiveness of such technology in information security.
What do you see as the difference between artificial intelligence and machine learning?
Machine learning is a subset of artificial intelligence. Artificial intelligence contains other approaches (e.g. expert systems) that are not machine learning.
Is machine learning/artificial intelligence the silver bullet that many think it is?
No. Machine learning is a predictive technique that can assist in certain tasks. However, by its nature, machine learning cannot be perfect, as it is an approximation of the characterization of a domain. It is very useful, sometimes indispensable, but not a solve-all-problem technology.
What are the strengths of machine learning and artificial intelligence in cybersecurity?
The strengths of machine learning are fundamentally two: first of all, the ability to cluster together similar events. This allows one to address many (almost identical events) with a single action (e.g. block all the emails that are part of a spam campaign, that are very much similar to each other). Second, machine learning allows one to learn a classifier; that is, given a number of known good events and known bad events, machine learning builds a model that is able to say if a new event is good and bad. By doing this it is possible to operate at scale and process events at a rate that was simply unthinkable five years ago.
What are the weaknesses of machine learning and artificial intelligence in cybersecurity?
The main weakness is adversarial machine learning. Most machine learning techniques have been developed to characterize data (such as images or sounds) that were not actively resisting classification. Instead, in the security field, the events that one tries to classify are generated by malicious actors who might know about the machine learning approaches being used or even about the models that were established, and will change their attacks to try to appear as benign.
What is needed to make it truly effective when securing the enterprise?
Machine learning and artificial intelligence cannot be used in isolation. Companies need to look for solutions that use a composition of approaches (heuristics, expert systems, signatures – yes, I said signatures, and others) in order to cover the blind spots of machine learning-based approaches.